Event logs on last 3 Halts

I have gone through all the KB suggestions for PS, here are the last 3 event logs when the program was attempting redraws.....
Faulting application name: Photoshop.exe, version: 15.0.0.58, time stamp: 0x536b438e
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000005
Fault offset: 0x000000000005320e
Faulting process id: 0x1b30
Faulting application start time: 0x01cfab63d4e5d7b5
Faulting application path: C:\Program Files\Adobe\Adobe Photoshop CC 2014\Photoshop.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 8101b774-1757-11e4-b423-0026832f9260
The program Photoshop.exe version 14.2.1.570 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 1b80
Start Time: 01cfab5b0839db71
Termination Time: 5096
Application Path: C:\Program Files (x86)\Adobe\Adobe Photoshop CC\Photoshop.exe
Report Id:
Faulting application name: Photoshop.exe, version: 15.0.0.58, time stamp: 0x536b438e
Faulting module name: Photoshop.exe, version: 15.0.0.58, time stamp: 0x536b438e
Exception code: 0xc0000005
Fault offset: 0x0000000001a852d5
Faulting process id: 0x5dc
Faulting application start time: 0x01cfab559cc75f9c
Faulting application path: C:\Program Files\Adobe\Adobe Photoshop CC 2014\Photoshop.exe
Faulting module path: C:\Program Files\Adobe\Adobe Photoshop CC 2014\Photoshop.exe
Report Id: b8222079-174c-11e4-b423-0026832f9260

Check from v$archived_log
SQL> alter session set nls_date_format='YYYY/MM/DD HH24:MI:SS';
SQL> select name, completion_time, status from v$archived_log order by completion_time

Similar Messages

Export all Errors and warnings event logs from Application, security and system for last 24 hours and send it to IT administrators.

Dear Team,
I want a powershell script to export servers event logs into excel and it send that file to IT administrators.
Excel format:
Server Name, Log Name, Time, Source, Event ID and Message.
Require logs:
Application, Security, System, DFS Replication and Directory service.
And these excel file has to be send to Email address.
And it would be good, if i get a script same for Hard disk space and RAM and CPU utilization.

Here are some examples:
http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=logs&f%5B0%5D.Text=Logs%20and%20monitoring&f%5B1%5D.Type=SubCategory&f%5B1%5D.Value=eventlogs&f%5B1%5D.Text=Event%20Logs
¯\_(ツ)_/¯

Search for records in the event viewer after the last run (not the entire event log), remove duplicate - Output Logon type for a specific OU users

Hi,
The following code works perfectly for me and give me a list of users for a specific OU and their respective logon types :-
$logFile = 'c:\test\test.txt'
$_myOU = "OU=ABC,dc=contosso,DC=com"
# LogonType as per technet
$_logontype = @{
2 = "Interactive"
3 = "Network"
4 = "Batch"
5 = "Service"
7 = "Unlock"
8 = "NetworkCleartext"
9 = "NewCredentials"
10 = "RemoteInteractive"
11 = "CachedInteractive"
Get-WinEvent -FilterXml "<QueryList><Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID=4624)]]</Select><Suppress Path=""Security"">*[EventData[Data[@Name=""SubjectLogonId""]=""0x0""
or Data[@Name=""TargetDomainName""]=""NT AUTHORITY"" or Data[@Name=""TargetDomainName""]=""Window Manager""]]</Suppress></Query></QueryList>" -ComputerName
"XYZ" | ForEach-Object {
#TargetUserSid
$_cur_OU = ([ADSI]"LDAP://<SID=$(($_.Properties[4]).Value.Value)>").distinguishedName
If ( $_cur_OU -like "*$_myOU" ) {
$_cur_OU
#LogonType
$_logontype[ [int] $_.Properties[8].Value ]
#Time-created
$_.TimeCreated
$_.Properties[18].Value
} >> $logFile
I am able to pipe the results to a file however, I would like to convert it to CSV/HTML When i try "convertto-HTML"
function it converts certain values . Also,
a) I would like to remove duplicate entries when the script runs only for that execution.
b) When the script is run, we may be able to search for records after the last run and not search in the same
records that we have looked into before.
PLEASE HELP !

If you just want to look for the new events since the last run, I suggest to record the EventRecordID of the last event you parsed and use it as a reference in your filter. For example:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4624 and
EventRecordID>46452302)]]</Select>
<Suppress Path="Security">*[EventData[Data[@Name="SubjectLogonId"]="0x0" or Data[@Name="TargetDomainName"]="NT AUTHORITY" or Data[@Name="TargetDomainName"]="Window Manager"]]</Suppress>
</Query>
</QueryList>
That's this logic that the Server Manager of Windows Serve 2012 is using to save time, CPU and bandwidth. The problem is how to get that number and provide it to your next run. You can store in a file and read it at the beginning. If not found, you
can go through the all event list.
Let's say you store it in a simple text file, ref.txt
1234
At the beginning just read it.
Try {
$_intMyRef = [int] (Get-Content .\ref.txt)
Catch {
Write-Host "The reference EventRecordID cannot be found." -ForegroundColor Red
$_intMyRef = 0
This is very lazy check. You can do a proper parsing etc... That's a quick dirty way. If I can read
it and parse it as an integer, I use it. Else, I just set it to 0 meaning I'll collect all info.
Then include it in your filter. You Get-WinEvent becomes:
Get-WinEvent -FilterXml "<QueryList><Query Id=""0"" Path=""Security""><Select Path=""Security"">*[System[(EventID=4624 and EventRecordID>$_intMyRef)]]</Select><Suppress Path=""Security"">*[EventData[Data[@Name=""SubjectLogonId""]=""0x0"" or Data[@Name=""TargetDomainName""]=""NT AUTHORITY"" or Data[@Name=""TargetDomainName""]=""Window Manager""]]</Suppress></Query></QueryList>"
At the end of your script, store the last value you got into your ref.txt file. So you can for example get that info in the loop. Like:
$Result += $LogonRecord
$_intLastId = $Event.RecordId
And at the end:
Write-Output $_intLastId | Out-File .\ref.txt
Then next time you run it, it is just scanning the delta. Note that I prefer this versus the date filter in case of the machine wasn't active for long or in case of time sync issue which can sometimes mess up with the date based filters.
If you want to go for a date filtering, do it at the Get-WinEvent level, not in the Where-Object. If the query is local, it doesn't change much. But in remote system, it does the filter on the remote side therefore you're saving time and resources on your
side. So for example for the last 30 days, and if you want to use the XMLFilter parameter, you can use:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[TimeCreated[timediff(@SystemTime) <= 2592000000]]]</Select>
</Query>
</QueryList>
Then you can combine it, etc...
PS, I used the confusing underscores because I like it ;)
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Questions about BT Home Hub 4A event log - WIFI c...

Hope someone can help please ?
I had BT inifinity installed 2 weeks ago with the HH 4 (type A) and everything has worked - connection found, no problem.
This week, my ipod touch was unable to join the network but the iphone 5, another ipod and a tablet could connect without a problem. The ipod touch managed to connect to another WIFI used at the property and my work wifi without a problem.
I thought it maybe the ipod touch as it was quite old but that doesn't make sense since it connects fine to other networks. I restored network settings and other options suggested by Apple but to no avail.
I have turned my attention to the Hub. My laptop (older than the ipod touch) gets the connection no problem along with the other devices. I went into the hub management page but I am not smart enough to decifer the event log so would like some help so I can fix this because I thought BT infinity was the better more reliable option?
The ipod touch Wifi IP address is 00:25:00:b7:35:f6.
On the event log, it shows STA before the address - but it shows STA before all the device IP addresses. Should I change this to DCHP ? or is this (Static ? alright)
The Lease on all the devices on the event log is set to 1440 min. (1 day) is that alright too, what does it mean ?
Do I have to keep renewing the lease ? How do I do that ? I read it can be set to 21 days ?
Going back to the IP address on the ipod it shows the Hostname as 00:25:00:B7:35:f6-2 this is different to the IP address with the -2. Could that be a cause of the unable to join network or is it because I attempted to recreate the network on the ipod so its the second version of that host name ?
Is there any setting I can change to fix this because I am concerned the same this will happen to the other devices and then the laptop....
What do I need to do to be able to get my ipod touch to connect to the BT network setting ?
I think its the hub 4A causing the 'block' on the ipod touch not the device and I think its maybe a matter of changing a setting - but then why was it all fine before when Infinity was first installed ?
Lastly my laptop (7 Years old) seems to be attached to the 5GHZ Wireless channel - is that alright ? The other more recent devices are on the 2.4ghz channel (except the ipod touch which isn't on any !!)
Is it alright to turn the hub on / off ? -I am resisting that because I don't want to make the situation worse.
Sorry but what does client disassociated mean and all the BLOCKS - do they relate to firewall ?
Please can you review the event log and my questions ?
Many thanks
angie 2601
The time frame is 3.55am 8/8/2013 - 7.16 am 8/8/2013
(Latest (7.16am) at the top
Message
07:16:39, 08AUG
(1224785.050000) Admin login successful by 192.168.1.64 on HTTP (1224766.610000) Admin login FAILED by 192.168.1.64 on HTTP (1224648.050000) New GUIsession from IP 192.168.1.64
(1224466.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disassociated
(1224362.750000) lease for IP 192.168.1.65 renewed by host Unknown d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1224362.750000) Device connected: Hostname:Unknown-d8:d1:cb:ec:a6:feiP:
192.168.1.65 MAC:d8:dl:cb:ec:a6:fe lease time: 1440 min. link rate:90.0 Mbps
(1224362.690000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
(1224241.150000) lease for IP 192.168.1.64 renewed by host FAMILY (MAC
00:13:02:de:6d:e6). Lease duration:1440 min
(1224241.150000) Device connected: Hostname: FAMii.Y IP:192.168.1.64 MAC:
00:13:02:de:6d:e6 Lease time: 1440 min. link rate: 54.0 Mbps
(1224241.090Cl00) Lease requested
wlan1TA 00:13:02:de:6d:e6 IEEE 802.11:Client associated
OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:34905->31.13.72.38:443 on ppp1)
(1223644.770000) Device disconnected: Hostname: Unknown-d8:dl:cb:ec:a6:fe
IP: 192.168.1.65 MAC: d8:d1:cb:ec:a6:fe
wlanl: STA d8:d1:cb:ec:a6:-fe IEEE 802.11:CHent diSassociated
(1223489.390000) Lease for IP 192.168.1.65 renewed by host Unknown d8:d1:cb:ec:a6:fe (MAC d8:d1:cb:ec:a6:fe).lease duration:1440 min (1223489.380000) Device connected:Hostname:Unknown-d8:dl:cb:ec:a6:fe IP:
192.168.1.65 MAC: d kd1:cb ec:-a6-:fe Lease time: 1440 min. Link rare: 90.0 Mbps
(1223489.330000) Lease requested
wlan1: STA d8:d1:cb:ec:a6:fe IEEE 802.11: Client associated wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11: Client disasSociated
wlan1TA d8:d1:cb:ec:a6:fe IEEE 802.11:Client associated
OUT;BLOCK [9] Packet i valid in connection (TCP
192.168.1.66:34375->31.13.72.38:443 on pppl)
l'N':BLOCK [16-} Remote administration {ICMP type 8 code 0
117.1.42.94->86.182.228.205 on ppp1)
IN: BLOCK [9] Packet invalid in connection (TCP
31.13.72.33:443->86.182.228.205:44156 on ppp1) IN: BLOCK [9] Packet invalid in connection (TCP
31.13.72.33:443->86.182.228.205:36615 on ppp1)
OUT: BLOCK [9] Packet invalid in connection (TCP
192.1-68.1.68:49476->173.252.103.16:443 OR ppp1)
BLOCKED 5 more packets (because of Packet invalid in connection) OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.68:49443->95.100.195.205:443 on ppp1)
OUT:BLOCK {9] PaCket invalid in connection (TCP
192.168.1.68:49438->95.100.194.217:443 on ppp1)
IN:BLOCK [9] Packet invalid in connection (TCP
95.100.194.217:443->86.182.228.205:49444 on ppp1)
(1222111.810000) Lease for IP 192.168.1.68 renewed by host Unknown-
70:56:81:46:bf:d9 (MAC 70:56:81:46:bf:d9).Lease duration:1440 min
(1222111.810000) Device connected:Hostname:Unknown-70:56:81:46:bf:d9 IP:,
192.168.1.68 MAC:70:56:8:t:46:bf:d9lease time:1440 min. Link rate:52.0 Mbps
(1222111.750000) Lease requested .-
wlanO: STA 70:56:81:46:bf:d9 IEEE 802.11: Client associated • (1222093.690000) Device dlsconn: Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168. MAC: 00:25:00:b7:35:f6 wlanoTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66-:43272->31.13.72.33:443 on ppp1)
221969.130000) lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
(1221969.130000} Devicconnected: Hostname·:Unknowwoo·:25:00:b7 35:f6-2
IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1221969.070000) Lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
(1220365.290000) Device disconnected: Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
(1220348.230000) Lease for IP 192.168.1.67 renewed by host Unlmown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6).lease duration: 1440 min
(1220348.230000) Device connected: Hostname:Unknown-00:25:00:b7:35:f6-2
IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1220348.170000) lease requested
wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client associated
IN: BLOCK f16] Remote administration (TCP
123.151.42.61:12233->86.182.228.205:8080 on ppp1) OUT: BLOCK [9] Packet invalid in connection (TCP
:t92.Hi8.1.66:53813->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:43989->31.13.72.33:443 on ppp1)
IN: BLOCK [16] Remote administration (ICMP type 8 rode 0
2.7.251.109.227->86.182.228.205 on pppl)
(1216770.650000) Device disconnected:Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6
OUT:BLOCK [9j Packet invalid in connection (TCF
192.168.1.67:49180->74.125.136.109:993 on ppp1)
wlanOTA 00:25:00:b7:35:f6 IEEE 802.11:Client disassociated
(1216753.280000) Lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min
(1216753.270000) Device connected: Hostname: Unknown-00:25:00:b7:35:f6-2
IP: 192.168.1.67 MAC: 00:25.:00-:.b7.:35:f6 Lease time: 1440 min. Unk rate: 54.0
Mbps
(1216753.220000) lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11:Client assodat
OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:55944->23.21.78.229:443 on ppp1)
OUT: BLOCK [9J Packet invafid in connection (TCP
192.168.1.66:34794->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:41441->31.13.72.33:443 on ppp1)
{1213176.020000) Device disconnected:.Hostname:Unknown-
00:25:00:b7:35:f6-2 IP: 192.168.1.67 MAC:00:25:00:b7:35:f6 wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client disassociated
(1213158.410000) Lease for IP 192.168.1.67 renewed by host Unknown-
00:25:00:b7:35:f6-2 (MAC 00:25:00:b7:35:f6). lease duration:1440 min _./:\ (1213158.400000) Device connected:Hostname:Unknown-00:25:00:b7:35:ftt.Y IP: 192.168.1.67 MAC: 00:25:00:b7:35:f6 Lease time: 1440 min.Unk rate: 54.0
Mbps
(1213158.340000) Lease requested
wlanO: STA 00:25:00:b7:35:f6 IEEE 802.11: Client associated
OUT:BLOCK (9] Packet invalid in connection (TCP
192.168.1.66:59767->176.34.180.243:443 on ppp1) OUT;BLOCK [9] P.acket invalid in connection {TCP
192.168.1.66:56075->31.13.72.33:443 on ppp1) OUT: BLOCK [9] Packet invalid in connection (TCP
192.168.1.66 581:1:0->31.13.72.33:443 on ppp1)
BL.OCKED 2 more packets (because of Packet invalid in connection) OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:56251->31.13.72.33:443 on ppp1)
OUT:BLOCK [9] Packet invalid in connection (TCP
192.168.1.66:36959->31.13.72.33:443 on ppp1)
BlOCKED 1more packets (because of Packet invalid in connection)

It could be that the Ipod touch is having problems with both the 2.4GHz and 5GHz frequencies being named the same. If you give them separate SSids it may help. ie add a 5 to the 5GHz SSid.
If you do this you will need to re-connect all your devices that can see both frequencies to both SSids so that they will swap between the frequencies seamlessly when ever they need to
See link how to change SSid.
http://bt.custhelp.com/app/answers/detail/a_id/44504/related/1/session/L2F2LzEvdGltZS8xMzc1OTY2ODIxL...
Once you have changed the SSid I would delete the network connection on the Ipod touch and start again.

Office 2013 Click-to-Run Event Logs

Anyone know what the event logs are (Source, Event ID, etc) for Office 2013 Click-to-Run version? Specifically, I'm trying to find out when my installation was last updated (automatic updates are enabled). In general it would also be nice to know
what all of the different events are that the program will log.
Shaun

Hi,
To view the Office updates log, we can just go to Control Panel > All Control Panel Items > Windows Update and click
View update history.
If you want to know all the event logs related to Microsoft Office, we can use Event Viewer.
http://windows.microsoft.com/en-in/windows/open-event-viewer#1TC=windows-7
To find Office-related logs, click Event Viewer > Applications and Services Logs > Microsoft Office Alerts in the Event Viewer window.
Regards,
Steve Fan
Forum Support
Come back and mark the replies as answers if they help and unmark them if they provide no help.
If you have any feedback on our support, please click
here

Seemingly successful install of Exchange 2013 SP1 turns into many errors in event logs after upgrade to CU7

I have a new Exchange 2013 server with plans to migrate from my current Exchange 2007 Server.
I installed Exchange 2013 SP1 and the only errors I saw in the event log seemed to be long standing known issues that did not indicate an actual problem (based on what I read online).
I updated to CU7 and now lots of errors have appeared (although the old ones seem to have been fixed so I have that going for me).
Currently the Exchange 2013 server is not in use and clients are still hitting the 2007 server.
Issue 1)
After each reboot I get a Kernel-EventTracing 2 error. I cannot find anything on this on the internet so I have no idea what it is.
Session "FastDocTracingSession" failed to start with the following error: 0xC0000035
I did read other accounts of this error with a different name in the quotes but still can’t tell what this is or where it is coming from.
Issue 2)
I am still getting 5 MSExchange Common 106 errors even after reregistering all of the perf counters per this page:
https://support.microsoft.com/kb/2870416?wa=wsignin1.0
One of the perf counters fails to register using the script from the link above.
66 C:\Program Files\Microsoft\Exchange Server\V15\Setup\Perf\InfoWorkerMultiMailboxSearchPerformanceCounters.xml
New-PerfCounters : The performance counter definition file is invalid.
At C:\Users\administrator.<my domain>\Downloads\script\ReloadPerfCounters.ps1:19 char:4
+    New-PerfCounters -DefinitionFileName $f
+    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo
: InvalidData: (:) [New-PerfCounters], TaskException
    + FullyQualifiedErrorId : [Server=VALIS,RequestId=71b6bcde-d73e-4c14-9a32-03f06e3b2607,TimeStamp=12/18/2014 10:09:
   12 PM] [FailureCategory=Cmdlet-TaskException] 33EBD286,Microsoft.Exchange.Management.Tasks.NewPerfCounters
But that one seems unrelated to the ones that still throw errors.
Three of the remaining five errors are (the forum is removing my spacing between the error text so it looks like a wall of text - sorry):
Performance counter updating error. Counter name is Count Matched LowFidelity FingerPrint, but missed HighFidelity FingerPrint, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The
exception thrown is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Performance counter updating error. Counter name is Number of items, item is matched with finger printing cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown
is : System.InvalidOperationException: The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Performance counter updating error. Counter name is Number of items in Malware Fingerprint cache, category name is MSExchange Anti-Malware Datacenter Perfcounters. Optional code: 3. Exception: The exception thrown is : System.InvalidOperationException:
The requested Performance Counter is not a custom counter, it has to be initialized as ReadOnly.
   at System.Diagnostics.PerformanceCounter.InitializeImpl()
   at System.Diagnostics.PerformanceCounter.set_RawValue(Int64 value)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.set_RawValue(Int64 value)
Last worker process info : System.ArgumentException: Process with an Id of 7384 is not running.
   at System.Diagnostics.Process.GetProcessById(Int32 processId)
   at Microsoft.Exchange.Diagnostics.ExPerformanceCounter.GetLastWorkerProcessInfo()
Issue 3)
I appear to have some issues related to the healthmailboxes.
I get MSExchangeTransport 1025 errors for multiple healthmailboxes.
SMTP rejected a (P1) mail from 'HealthMailbox23b10b91745648819139ee691dc97eb6@<my domain>.local' with 'Client Proxy <my server>' connector and the user authenticated as 'HealthMailbox23b10b91745648819139ee691dc97eb6'. The Active Directory
lookup for the sender address returned validation errors. Microsoft.Exchange.Data.ProviderError
I reran setup /prepareAD to try and remedy this but I am still getting some.
Issue 4)
I am getting an MSExchange RBAC 74 error.
(Process w3wp.exe, PID 984) Connection leak detected for key <my domain>.local/Admins/Administrator in Microsoft.Exchange.Configuration.Authorization.WSManBudgetManager class. Leaked Value 1.
Issue 5)
I am getting MSExchange Assistants 9042 warnings on both databases.
Service MSExchangeMailboxAssistants. Probe Time Based Assistant for database Database02 (c83dbd91-7cc4-4412-912e-1b87ca6eb0ab) is exiting a work cycle. No mailboxes were successfully processed. 2 mailboxes were skipped due to errors. 0 mailboxes were
skipped due to failure to open a store session. 0 mailboxes were retried. There are 0 mailboxes in this database remaining to be processed.
Some research suggested this may be related to deleted mailboxes however I have never had any actual user mailboxes on this server.
If they are healthmailboxes or arbitration mailboxes that might make sense but I am unsure of what to do on this.
Issue 6)
At boot I am getting an MSExchange ActiveSync warning 1033
The setting SupportedIPMTypes in the Web.Config file was missing.
Using default value of System.Collections.Generic.List`1[System.String].
I don't know why but this forum is removing some of my spacing that would make parts of this easier to read.

Hi Eric
Yes I have uninstalled and reinstalled Exchange 2013 CU7 for the 3<sup>rd</sup> time.
I realize you said one issue per forum thread but since I already started this thread with many issues I will at least post what I have discovered on them in case someone finds their way here from a web search.
I have an existing Exchange 2007 server in the environment so I am unable to create email address policies that are defined by “recipient container”.
If I try and do so I get “You can't specify the recipient container because legacy servers are detected.”
So I cannot create a normal email address policy and restrict it to an OU without resorting to some fancy filtering.
Instead what I have done is use PS to modify extensionAttribute1 (otherwise known as Custom Attribute 1 to exchange) for all of my users.
I then applied an address policy to them and gave it the highest priority.
Then I set a default email address policy for the entire organization.
After reinstalling Exchange all of my system mailboxes were created with the internal domain name.
So issue number 3 above has not come up.
For issue number one above I have created a new thread:
https://social.technet.microsoft.com/Forums/office/en-US/7eb12b89-ae9b-46b2-bd34-e50cd52a4c15/microsoftwindowskerneleventtracing-error-2-happens-twice-at-boot-ex2013cu7?forum=exchangesvrdeploy
For issue number four I have posted to this existing thread where there is so far no resolution:
https://social.technet.microsoft.com/Forums/exchange/en-US/2343730c-7303-4067-ae1a-b106cffc3583/exchange-error-id-74-connection-leak-detected-for-key?forum=exchangesvradmin
Issue number Five I have managed to recreate and get rid of in more than one way.
If I create a new database in ECP and set the database and log paths where I want, then this error will appear.
If I create the database in the default location and then use EMS to move it and set the log path, then the error will not appear.
The error will also appear (along with other errors) if I delete the health mailboxes and let them get recreated by restarting the server or the Health Manager service.
If I then go and set the retention period for deleted mailboxes to 0 days and wait a little while, these will all go away.
So my off hand guess is that these are caused by orphaned system mailboxes.
For issue number six I have posted to this existing thread where there is so far no resolution:
https://social.technet.microsoft.com/Forums/exchange/en-US/dff62411-fad8-4d0c-9bdb-037374644845/event-1033-msexchangeactivesync-warning?forum=exchangesvrmobility
So for the remainder of this thread we can try and tackle issue number two which is the perf counters.
The exact same 5 perf counter were coming up and this had been true each time I have uninstalled and reinstalled Exchange 2013CU7.
Actually to be more accurate a LOT of perf counter errors come up after the initial install, but reloading the perf counters using the script I posted above reduces it to the same five.
Using all of your suggestions so far has not removed these 5 remaining errors either. Since there is no discernible impact other than these errors at boot I am not seriously bothered by them but as will all event log errors, I would prefer
to make them go away if possible.

Event Log Help Links No Longer Working?

Have the help links in the Windows XP event log entries been discontinued?
They used to open up the Help and Support Center with further information about the Event Log error if it was available.
For some time now they have all just given a "page not found" error, which then re-directs to Bing with offered results that are no use at all!
This happens now on every XP system I've tried it on.
As a user of Windows 8.1 as well as XP, I'm well aware that the Windows 8 Event Log help links have never worked so far, but the XP ones always did, and despite the looming "End of Support" I can see no reason for all that information to have been
removed.
Any explanation for this?
Thanks, Dave Hawley.

Hi - thank you DaveHawley for the report. Just wanted to confirm that I've passed this on to the team that looks after the redirect service behind the "More Info" link.
There have been some major changes in how this redirection works over the years as well as in the last months. The most recent efforts added the option to enable use of the TechNet Wiki [sample]
to allow the community to comment & contribute for a given component. I'm only guessing here, but this might have accidentally impacted XP.
Thanks
Bruno

While Installation of 11g database creation time error ORA-28056: Writing audit records to Windows Event Log failed Error

Hi Friends,
OS = Windows XP 3
Database = Oracle 11g R2 32 bit
Processor= intel p4 2.86 Ghz
Ram = 2 gb
Virtual memory = 4gb
I was able to install the oracle 11g successfully, but during installation at the time of database creation I got the following error many times and I ignored it many times... but at 55% finally My installation was hanged nothing was happening after it.....
ORA-28056: Writing audit records to Windows Event Log failed Error and at 55% my Installation got hung,,,, I end the installation and tried to create the database afterward by DBCA but same thing happened....
Please some one help me out, as i need to install on the same machine .....
Thanks and Regards

AAP wrote:
Thanks Now I am able to Create a database , but with one error,
When I created a database using DBCA, at the last stage I got this error,
Database Configuration Assistant : Warning
Enterprise Manager Configuration Failed due to the Following error Listener is not up or database service is not registered with it. Start the listener & Registered database service & run EM Configuration Assistant again....
But when I checked the listener was up.....
Now what was the problem, I am able to connect and work through sqlplus,
But I didnt got the link of EM and when try to create a new connection in sql developer it is giving error ( Status : failure - Test Failed the Network Adapter could not establish the connection )
Thanks & Regards
Creation of the dbcontrol requires a connection via the listener. When configuring the dbcontrol as part of database creation, it appears that the dbcontrol creation step runs before the dynamic registration of the databsase with the listener is complete. Now that the database itself is completed and enough time (really, just a minute or two) has passed to allow the instance to register, use dbca or emca to create the dbcontrol.
Are you able to get a sqlplus connection via the listener (sqlplus scott/tiger@orcl)? That needs to be the first order of business.

When starting PSE 11 I receive "Adobe Photoshop 11 has stopped working and the app fails to start. I'm on Window 8.1 An event log error is thrown.

The event log details:
Faulting application name Phtoshopelementseditor.exe verion 11.0.0.0
Faulting module name AdobeSWFL.dll version 2.0.0.11360 time stamp 0x4ccfbe7c
exception code 0x0000005
fault offset 0x0005962e
faulting process id 0x3418
faulting path point to PhotoshopElementsEditor.exe
I had not run this on my PC for month. When I tried last week I received this error.
I restored back to a restore point in early May but had the same issue.
When I purchased the product I received a download but can't find the download to try a re-install.

Hi,
You should be able to download from here.
Download Photoshop Elements products | 11, 10
It would be better to ask these questions in the Photoshop Elements forum
Photoshop Elements
A moderator may be able to move this thread for you.
Good luck
Brian

ESE - Event Log Warning: 906 - A significant portion of the database buffer cache has been written out to the system paging file...

Hello -
We have 3 x EX2010 SP3 RU5 nodes in a cross-site DAG.
Multi-role servers with 18 GB RAM [increased from 16 GB in an attempt to clear this warning without success].
We run nightly backups on both nodes at the Primary Site.
Node 1 backup covers all mailbox databases [active & passive].
Node 2 backup covers the Public Folders database.
The backups for each database are timed so they do not overlap.
During each backup we get several of these event log warnings:
Log Name:      Application
Source:        ESE
Date:          23/04/2014 00:47:22
Event ID:      906
Task Category: Performance
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      EX1.xxx.com
Description:
Information Store (5012) A significant portion of the database buffer cache has been written out to the system paging file. This may result in severe performance degradation.
See help link for complete details of possible causes.
Resident cache has fallen by 42523 buffers (or 27%) in the last 903 seconds.
Current Total Percent Resident: 26% (110122 of 421303 buffers)
We've rescheduled the backups and the warning message occurences just move with the backup schedules.
We're not aware of perceived end-user performance degradation, overnight backups in this time zone coincide with the business day for mailbox users in SEA.
I raised a call with the Microsoft Enterprise Support folks, they had a look at BPA output and from their diagnostics tool. We have enough RAM and no major issues detected.
They suggested McAfee AV could be the root of our problems, but we have v8.8 with EX2010 exceptions configured.
Backup software is Asigra V12.2 with latest hotfixes.
We're trying to clear up these warnings as they're throwing SCOM alerts and making a mess of availability reporting.
Any suggestions please?
Thanks in advance

Having said all that, a colleague has suggested we just limit the amount of RAM available for the EX2010 DB cache
Then it won't have to start releasing RAM when the backup runs, and won't throw SCOM alerts
This attribute should do it...
msExchESEParamCacheSizeMax
http://technet.microsoft.com/en-us/library/ee832793.aspx
Give me a shout if this is a bad idea
Thanks

Vista got corrupt after power failure. sfc reports error and Event log service is unable to start itself.

Hi,
After a sudden power failure, I guess vista file system is corrupt.   I am able to start vista in normal mode, but it seems there are errors like Event Log service unable to start itself, when I start IE, it closes automatically ,
Norton antivirus does not start itself. and so on.
After Bing search, I went to safe mode and executed sfc /scannow and it reported error as below.
"Windows resource protection found corrupt files but was unable to fix some of them"
Unfortunately I am unable to upload log file, so I am pasting CBS.log content here....   Please advice.
Some parts of logs are removed due to limit of 60000 characters.
Please advice.
Regards
2014-07-07 14:55:57, Info                  CBS    Loaded Servicing Stack v6.0.6002.18005 with Core: C:\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_0b4ada54c46c45b0\cbscore.dll
2014-07-07 14:55:58, Info                  CSI
00000001@2014/7/7:09:25:58.062 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x6e9c8a50 @0x7147854e @0x714563a1 @0x341392 @0x341ed4 @0x3417cb)
2014-07-07 14:55:58, Info                  CSI
00000002@2014/7/7:09:25:58.156 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x6e9c8a50 @0x714ae7b6 @0x71490f93 @0x341392 @0x341ed4 @0x3417cb)
2014-07-07 14:55:58, Info                  CSI
00000003@2014/7/7:09:25:58.187 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x6e9c8a50 @0x73981a0d @0x73981794 @0x34360b @0x342be3 @0x3417cb)
2014-07-07 14:55:58, Info                  CBS    NonStart: Checking to ensure startup processing was not required.
2014-07-07 14:55:58, Info                  CBS    NonStart: Windows is in Safe Mode.
2014-07-07 14:55:58, Info                  CSI    00000004 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL,
phase = 0, pdwDisposition = @0x2dfe70
2014-07-07 14:55:58, Info                  CBS    NonStart: Success, startup processing not required as expected.
2014-07-07 14:55:58, Info                  CSI    00000005 CSI Store 4780952 (0x0048f398) initialized
2014-07-07 14:56:03, Info                  CSI    00000006 [SR] Verifying 100 (0x00000064) components
2014-07-07 14:56:03, Info                  CSI    00000007 [SR] Beginning Verify and Repair transaction
2014-07-07 14:56:10, Info                  CSI    00000008 Repair results created:
POQ 0 starts:
     0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\ca20037dc599cf01650000007806a403._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    1: Move File: Source = [l:218{109}]"\SystemRoot\WinSxS\Temp\PendingRenames\aa070f7dc599cf01660000007806a403.program_files_ffd0cbfc813cc4f1.cdf-ms", Destination = [l:130{65}]"\SystemRoot\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms"
    2: Move File: Source = [l:244{122}]"\SystemRoot\WinSxS\Temp\PendingRenames\6aca137dc599cf01670000007806a403.program_files_common_files_d7a65bb2f0e854e7.cdf-ms", Destination = [l:156{78}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_d7a65bb2f0e854e7.cdf-ms"
    3: Move File: Source = [l:278{139}]"\SystemRoot\WinSxS\Temp\PendingRenames\2a8d187dc599cf01680000007806a403.program_files_common_files_microsoft_shared_818c5a0e45020fba.cdf-ms", Destination = [l:190{95}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_818c5a0e45020fba.cdf-ms"
    4: Move File: Source = [l:286{143}]"\SystemRoot\WinSxS\Temp\PendingRenames\4ab11f7dc599cf01690000007806a403.program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms", Destination = [l:198{99}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_3c86e3db0b3b254c.cdf-ms"
    5: Move File: Source = [l:292{146}]"\SystemRoot\WinSxS\Temp\PendingRenames\aa12227dc599cf016a0000007806a403.program_files_common_files_microsoft_shared_ink_en_7a951cedcb9a5105.cdf-ms", Destination = [l:204{102}]"\SystemRoot\WinSxS\FileMaps\program_files_common_files_microsoft_shared_ink_en_7a951cedcb9a5105.cdf-ms"
    6: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\aa28487dc599cf016b0000007806a403.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
    7: Move File: Source = [l:208{104}]"\SystemRoot\WinSxS\Temp\PendingRenames\6aeb4c7dc599cf016c0000007806a403.$$_ehome_40103e2da1d
2014-07-07 14:56:10, Info                  CSI    121de.cdf-ms", Destination = [l:120{60}]"\SystemRoot\WinSxS\FileMaps\$$_ehome_40103e2da1d121de.cdf-ms"
POQ 0 ends.
2014-07-07 14:56:10, Info                  CSI    00000009 [SR] Verify complete
2014-07-07 14:56:11, Info                  CSI    0000000a [SR] Verifying 100 (0x00000064) components
2014-07-07 14:56:11, Info                  CSI    0000000b [SR] Beginning Verify and Repair transaction
2014-07-07 14:56:19, Info                  CSI    0000000c Repair results created:
POQ 1 starts:
POQ 42 ends.
2014-07-07 14:58:29, Info                  CSI    000000b1 [SR] Verify complete
2014-07-07 14:58:30, Info                  CSI    000000b2 [SR] Verifying 100 (0x00000064) components
2014-07-07 14:58:30, Info                  CSI    000000b3 [SR] Beginning Verify and Repair transaction
2014-07-07 14:58:38, Info                  CSI    000000b4 Repair results created:
POQ 43 starts:
     0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\4a5ad3d4c599cf01391100007806a403._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\4a5ad3d4c599cf013a1100007806a403.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
    2: Move File: Source = [l:234{117}]"\SystemRoot\WinSxS\Temp\PendingRenames\cadfdcd4c599cf013b1100007806a403.$$_help_windows_en-us_b594929e73669c5e.cdf-ms", Destination = [l:146{73}]"\SystemRoot\WinSxS\FileMaps\$$_help_windows_en-us_b594929e73669c5e.cdf-ms"
    3: Move File: Source = [l:228{114}]"\SystemRoot\WinSxS\Temp\PendingRenames\2a41dfd4c599cf013c1100007806a403.$$_help_help_en-us_91e6e7979a9bf9c6.cdf-ms", Destination = [l:140{70}]"\SystemRoot\WinSxS\FileMaps\$$_help_help_en-us_91e6e7979a9bf9c6.cdf-ms"
    4: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\ea0ef7d4c599cf013d1100007806a403.$$_apppatch_1143992cbbbebcab.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_apppatch_1143992cbbbebcab.cdf-ms"
    5: Move File: Source = [l:218{109}]"\SystemRoot\WinSxS\Temp\PendingRenames\ea241dd5c599cf013e1100007806a403.program_files_ffd0cbfc813cc4f1.cdf-ms", Destination = [l:130{65}]"\SystemRoot\WinSxS\FileMaps\program_files_ffd0cbfc813cc4f1.cdf-ms"
    6: Create Directory: Directory = [l:48{24}]"\??\C:\Program Files\MSN", Attributes = 00000080
POQ 43 ends.
2014-07-07 14:58:38, Info                  CSI    000000b5 [SR] Verify complete
2014-07-07 14:58:38, Info                  CSI    000000b6 [SR] Verifying 100 (0x00000064) components
2014-07-07 14:58:38, Info                  CSI    000000b7 [SR] Beginning Verify and Repair transaction
2014-07-07 14:58:43, Info                  CSI    000000b8 Repair results created:
POQ 44 starts:
     0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\eac6f0d7c599cf01a31100007806a403._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
    1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\aa89f5d7c599cf01a41100007806a403.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
    2: Move File: Source = [l:216{108}]"\SystemRoot\WinSxS\Temp\PendingRenames\6a4cfad7c599cf01a51100007806a403.$$_resources_fbee56ab048ab239.cdf-ms", Destination = [l:128{64}]"\SystemRoot\WinSxS\FileMaps\$$_resources_fbee56ab048ab239.cdf-ms"
    3: Move File: Source = [l:230{115}]"\SystemRoot\WinSxS\Temp\PendingRenames\caadfcd7c599cf01a61100007806a403.$$_resources_themes_4d0d4910e83c2273.cdf-ms", Destination = [l:142{71}]"\SystemRoot\WinSxS\FileMaps\$$_resources_themes_4d0d4910e83c2273.cdf-ms"
    4: Move File: Source = [l:240{120}]"\SystemRoot\WinSxS\Temp\PendingRenames\caadfcd7c599cf01a71100007806a403.$$_resources_themes_aero_3fd78bf4cb5fa2c4.cdf-ms", Destination = [l:152{76}]"\SystemRoot\WinSxS\FileMaps\$$_resources_themes_aero_3fd78bf4cb5fa2c4.cdf-ms"
    5: Move File: Source = [l:252{126}]"\SystemRoot\WinSxS\Temp\PendingRenames\8a7001d8c599cf01a81100007806a403.$$_resources_themes_aero_shell_a91dfa5124b343c4.cdf-ms", Destination = [l:164{82}]"\SystemRoot\WinSxS\FileMaps\$$_resources_themes_aero_shell_a91dfa5124b343c4.cdf-ms"
    6: Move File: Source = [l:276{138}]"\SystemRoot\WinSxS\Temp\PendingRenames\aa9408d8c599cf01a91100007806a403.$$_resources_themes_aero_shell_normalcolor_10be8ec981b35fb6.cdf-ms", Destination = [l:188{94}]"\SystemRoot\WinSxS\FileMaps\$$_resources_themes_aero_shell_normalcolor_10be8ec981b35fb6.cdf-ms"
    7: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\cab80fd8c599cf01aa1100007806a403.$$_schcache_f995a5d4decb8cc0.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_schcache_f995a5d4decb8cc0.cdf
2014-07-07 14:58:43, Info                  CSI    -ms"
    8: Move File: Source = [l:212{106}]"\SystemRoot\WinSxS\Temp\PendingRenames\cad948d8c599cf01ab1100007806a403.$$_msagent_be90584645cb9b95.cdf-ms", Destination = [l:124{62}]"\SystemRoot\WinSxS\FileMaps\$$_msagent_be90584645cb9b95.cdf-ms"
    9: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\4a7578d8c599cf01ac1100007806a403.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
    10: Move File: Source = [l:242{121}]"\SystemRoot\WinSxS\Temp\PendingRenames\cafa81d8c599cf01ad1100007806a403.$$_system32_manifeststore_7d35b12f9be4c20e.cdf-ms", Destination = [l:154{77}]"\SystemRoot\WinSxS\FileMaps\$$_system32_manifeststore_7d35b12f9be4c20e.cdf-ms"
    11: Move File: Source = [l:224{112}]"\SystemRoot\WinSxS\Temp\PendingRenames\aae18dd8c599cf01ae1100007806a403.$$_msagent_chars_9a5bcb5da392f588.cdf-ms", Destination = [l:136{68}]"\SystemRoot\WinSxS\FileMaps\$$_msagent_chars_9a5bcb5da392f588.cdf-ms"
POQ 107 ends.
2014-07-07 15:08:01, Info                  CSI    00000213 [SR] Repair complete
2014-07-07 15:08:01, Info                  CSI    00000214 [SR] Committing transaction
2014-07-07 15:08:01, Info                  CSI    00000215 Creating NT transaction (seq 1), objectname [6]"(null)"
2014-07-07 15:08:01, Info                  CSI    00000216 Created NT transaction (seq 1) result 0x00000000, handle @0x4cc
2014-07-07 15:08:01, Info                  CSI
00000217@2014/7/7:09:38:01.060 CSI perf trace:
CSIPERF:TXCOMMIT;5
2014-07-07 15:08:01, Info                  CSI    00000218 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction
have been successfully repaired
2014-07-07 15:15:58, Info                  CBS    Scavenge: Package store indicates there is no component to scavenge, skipping.

Hi,
First, I would suggest you using last known good configuration:
Using Last Known Good Configuration
http://windows.microsoft.com/en-in/windows/using-last-known-good-configuration#1TC=windows-vista
if this cannot bring your Windows Vista back to good state, I suggest you perform in-place upgrade to fix the corrupted files:
How to Perform an In-Place Upgrade on Windows Vista, Windows 7, Windows Server 2008 & Windows Server 2008 R2
http://support.microsoft.com/kb/2255099/en-us
If you have any feedback on our support, please click
here
Alex Zhao
TechNet Community Support

Get-WinEvent is very very slow - More thant 45 minutes searching for event 4729 in a 1 million event log (512 MB size) - Super Hardware

Someone removed a user from a group, we´re tryingo to track down, who made it
I´m using:
get-eventlog -LogName security -ComputerName SERVERNAME | Where-Object {$_.EventID -eq 4729} | Export-Csv -Path c:\temp\SERVERNAME_4729.log -NoTypeInformation
or
get-eventlog -LogName security -ComputerName SERVERNAME | Where-Object {$_.EventID -eq 4729}
The DC have 4 GB of RAM, 4 vCPUs in a Dell PE R420 with SAS 15K disks, it´s very fast hardware/response time
The DC have more than 955.000 events in the last 15 days, 512 MB file size for the .EVTX
The search takes more than 45 minutes to finish
It´s acceptable? I have the felling that this procedure will take no more than 5 minutes to do the search and grab the results

This will be much faster:
get-eventlog -LogName security -ComputerName SERVERNAME -InstanceID 4729 |
Export-Csv -Path c:\temp\SERVERNAME_4729.CSV -NoTypeInformation
The method you used returns every record in the log then filters. This method filters the remote search remotely and in the query. It only returns records that have that ID.
¯\_(ツ)_/¯

Oracle 10g XE Event Logs - Please help

I'm running 10g XE on a Virtual 2003 Server. My Applicatin Event Logs the following events. I will get up to 20 events per minutes. I have posted the event description. Please advise. Thank you,
The description for Event ID ( 5 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: QMNC, xe.
The description for Event ID ( 16 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: xe.
The description for Event ID ( 34 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA CLIENT USER: NT AUTHORITY\SYSTEM CLIENT TERMINAL: [Server FQDN stated in this area]: 0 .

Hi Jab
The last event is something Oracle logs per default. Every time someone logs in with sysdba privileges, it is logged to the event log. Read more in the manual
Security guide, chapter 8
Try to check the parameter
AUDIT_TRAIL
in the database
show parameter AUDIT_TRAIL
If it is set to OS and you have enabled auditing, then more events are written to the event log.
Best wishes,
Kennie
The description for Event ID ( 34 ) in Source ( Oracle.xe ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: ACTION : 'CONNECT' DATABASE USER: '/' PRIVILEGE : SYSDBA CLIENT USER: NT AUTHORITY\SYSTEM CLIENT TERMINAL: Server FQDN stated in this area: 0 .

Event log entries missing in PoSh but visible in Eventvwr

Hi,
I've noticed the following issue on about 10 out of 2500 computers which run a script on our domain, so its minor, but I'd like to understand why its happening.
When I query the event log using the eventvwr GUI I can filter on event ID 7001 and all the events list fine. However when I run 'get-eventlog -logname system -instanceid 7001' it shows all the events except the last 3 or so most recent ones (which are visible
in the GUI).
I've cross referenced this with an event visible in the GUI that had an EventRecordID of 32029. But when querying this via PowerShell 'get-eventlog -logname system -index 32029' it returns 'no matches found'.
Its a weird problem, because if I was to query to logs in a few hours time after a few more people have logged on/off the computer then the event would show in PowerShell, but the new most recent ones wouldn't.
Is there a caching mechanism at work, and if so how could I disable it? Its interesting that these machines are all built from the same WDS image with the same GPO's applied but only a very small percentage exhibit this issue, all other machines show recent
event logs in PowerShell instantly.
I should also mention that these are all Windows 7 x64 computers.
Any help appreciated.
Thanks,
Phil

Hi,
Based on my understanding, only some of your computers have this issue. And when use WMI, we could query all of the events, but when use powershell command, some logs are missing.
I would like to know that when we use 'get-eventlog -logname system -instanceid 7001| out-file c:\result.txt', how many logs are there?
What I think it may caused by there are so many logs information, and could not be dispalyed out. We may try some other logs also.
Regards,
Yan Li
TechNet Subscriber Support
If you are
TechNet Subscription
user and have any feedback on our support quality, please send your feedback
here.
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

The Data Access service is either not running or not yet initialized. Check the event log for more information

Hi,
I have SCSM with remote SQL and the SCSM Management server give below error
Message: Failed to connect to server ‘Name of Server’
Microsoft.EnterpriseManagement.Common.ServiceNotRunningException: The Data Access service is either not running or not yet initialized. Check the event log for more information. —> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://ServerName:5724/DispatcherService.
The connection attempt lasted for a time span of 00:00:04.0070932. TCP error code 10061: No connection could be made because the target machine actively refused it IPAddress:5724. —> System.Net.Sockets.SocketException: No connection could be made
because the target machine actively refused it IPAddress:5724
I had try to restart SQL & MS with same error,
Also i had try the following
https://social.technet.microsoft.com/Forums/systemcenter/en-US/c670d54d-3a92-481f-8dc9-55c475ad196f/problems-with-data-access-service-after-rebooting
https://social.technet.microsoft.com/Forums/systemcenter/en-US/26dc1d5c-fa82-403f-8949-3073f3b82a60/the-data-access-service-is-either-not-running-or-not-yet-initialized
Not help meRegards

I had same error before
below steps to solve it
Make sure SQL Server Running & ServiceManager Database not full
Stop All SCSM Services,
System Center Management Configuration
Microsoft System Center Data Access Service.
Microsoft Monitoring Agent
Rename Health Service State to Health Service State_old --- @ "C:\Program Files\Microsoft System Center 2012 R2\Service Manager"
Start SCSM Services
Microsoft Monitoring Agent
System Center Management Configuration
Microsoft System Center Data Access Service.
Wait 2 min...
check Event Viewer...
hope this help you.
Regards, Ibrahim Hamdy

Event logs on last 3 Halts

Similar Messages

Maybe you are looking for